User Profile
EricBBB
Copper Contributor
Joined Aug 16, 2021
Recent Discussions
Windows Hello for Business: Internet Requirement for On-Premises Login Using Cloud Kerberos Trust
Hello everyone,

I've recently begun testing Windows Hello for Business in our environment, where we utilise Microsoft Entra hybrid join authentication with cloud Kerberos trust. I suspect that our on-premises physical firewall may be contributing to several issues we're experiencing, and I would like to clarify my understanding of hybrid join authentication using cloud Kerberos trust. To access the internet, we use SSO with our firewall, meaning that after validating local AD credentials, the user gains access to the public network.

My question is: is internet access required for on-premises logins when using Windows Hello for Business?

From my research on Microsoft's documentation at https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/how-it-works-authentication#microsoft-entra-hybrid-join-authentication-using-cloud-kerberos-trust, it appears that if you're using cloud Kerberos trust and the PC is blocked from the internet, the Windows Hello for Business sign-in will fail. Essentially, the on-premises Domain Controller can only issue the final Ticket Granting Ticket (TGT) after receiving a valid partial TGT from Microsoft Entra ID. This would imply that if the machine cannot reach Microsoft Entra ID due to firewall restrictions, the user will be unable to log in.

In our case, the user successfully enrolled the device on-premises, but the next morning they encountered the error "PIN isn't available: 0xc000005e 0x0."

Could anyone confirm whether my understanding is correct? Thank you for your assistance!
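Added here as an illustration, not part of EricBBB's post or of Microsoft's documentation: a read-only PowerShell check of the state the cloud Kerberos trust sign-in flow described above depends on, to be run on the affected hybrid-joined client from an elevated prompt. It reads the device registration and SSO state from `dsregcmd /status` (including the OnPremTgt and CloudTgt fields that show whether the client currently holds an on-premises TGT and the partial TGT from Entra ID), checks whether the "use cloud trust for on-premises authentication" policy is applied, probes TCP reachability to Entra ID (login.microsoftonline.com:443) and to a domain controller (Kerberos, TCP 88), and counts recent errors in the Hello for Business operational log. For context, 0xc000005e is the NTSTATUS code STATUS_NO_LOGON_SERVERS. Assumptions to verify in your own environment: the policy registry location under `HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\<TenantId>\Policies`, the event log name, and the use of `$env:LOGONSERVER` as the DC to probe (after a cached sign-in it may point at the local machine rather than a DC).

```powershell
# Added example (not from the original post): read-only checks for the pieces a
# cloud Kerberos trust sign-in depends on. Run on the affected hybrid-joined client
# from an elevated PowerShell prompt.

$report = [ordered]@{}

# 1. Device registration and SSO state. dsregcmd /status prints the join state and,
#    in its SSO State section, AzureAdPrt, OnPremTgt and CloudTgt. Without a PRT the
#    client cannot obtain the partial TGT from Entra ID.
$status = dsregcmd /status
foreach ($field in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'OnPremTgt', 'CloudTgt') {
    $line = $status | Select-String -Pattern ("^\s*{0}\s*:\s*(\S+)" -f $field) | Select-Object -First 1
    $report[$field] = if ($line) { $line.Matches[0].Groups[1].Value } else { 'not reported' }
}

# 2. Is the cloud Kerberos trust policy applied on this client?
#    Assumption: the policy lands under PassportForWork\<TenantId>\Policies as a DWORD
#    named UseCloudTrustForOnPremAuth. The tenant ID subkey differs per tenant, so
#    every subkey is inspected.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$report['UseCloudTrustForOnPremAuth'] = 'not found'
if (Test-Path $policyRoot) {
    Get-ChildItem $policyRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $pol = Join-Path $_.PSPath 'Policies'
        if (Test-Path $pol) {
            $v = (Get-ItemProperty -Path $pol -Name UseCloudTrustForOnPremAuth -ErrorAction SilentlyContinue).UseCloudTrustForOnPremAuth
            if ($null -ne $v) { $report['UseCloudTrustForOnPremAuth'] = $v }
        }
    }
}

# 3. Reachability of the two authorities the flow needs: Entra ID over HTTPS for the
#    partial TGT, and a domain controller over Kerberos (TCP 88) for the full TGT.
#    Assumption: LOGONSERVER names a DC; after a cached sign-in it can be the local host.
$dc = $env:LOGONSERVER -replace '^\\\\', ''
$report['EntraID_443'] = (Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
$report['DC_88'] = if ($dc -and $dc -ne $env:COMPUTERNAME) {
    (Test-NetConnection -ComputerName $dc -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded
} else { 'LOGONSERVER is not a DC' }

# 4. Error-level events from the Hello for Business operational log in the last 24 hours.
#    Assumption: log name Microsoft-Windows-HelloForBusiness/Operational.
$report['HelloErrors24h'] = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-HelloForBusiness/Operational'
        Level     = 2
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue).Count

[PSCustomObject]$report | Format-List
```

A client that shows `AzureAdPrt : YES` but `EntraID_443 : False` and `CloudTgt : NO` at the time of sign-in is consistent with the firewall blocking the path to Entra ID before the user has authenticated to the firewall's SSO; comparing the output before and after the firewall session is established separates that case from a policy or registration problem.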
Re: Entra OU sync vs group filtering

I have a thought I need to confirm. If I choose "Sync all domains and OUs" in Domain and OU filtering and then specify a particular security group containing my test users in the Filtering section, and subsequently the on-premises AD security group is deleted by mistake, the users within Entra would not be soft-deleted, correct? This is because they are still part of the enabled OU, according to the Venn diagram.
Re: Entra OU sync vs group filtering

Thank you, Lain, for sharing your knowledge! Generally, I would test each scenario, but I was concerned that synchronizing just one test OU during the initial configuration might result in the loss of all my existing Entra users, leaving only those in the test OU 🙂
Re: Entra OU sync vs group filtering

LainRobertson, what are your thoughts on gradually synchronizing users to Entra ID by adding one OU at a time, for example Sales OU today, Finance tomorrow? When returning to Entra Connect Sync, will the previously selected OUs remain visible, or does the process start again from the beginning?
Entra OU sync vs group filtering

Hello,

Currently, we are utilising Microsoft 365 Business Standard with a free Entra ID, but we also have a trial version of M365 Business Premium that I would like to test for a couple of users and computers running Microsoft Windows. For testing purposes, I would like to synchronise those users and devices from on-premises Active Directory to Entra ID using Entra Connect Sync.

I am contemplating which option I should choose. The users (and devices) I want to synchronize are located in a specific Organizational Unit (OU) in Active Directory, but the users also have accounts in Entra ID and mailboxes in Exchange Online. I know that Entra Connect Sync is not destructive, but I am unsure whether to choose "Sync all domains and OUs" during installation and then use filtering to select the security group to which the test users (and devices) belong, or whether it would be better to directly choose only the specific OU containing the users and skip filtering. In the future, I plan to synchronize all users.

An additional question: if I choose only one OU, will it not clear the other, existing Entra ID users who are not members of the on-premises OU?
M365 Business Premium - Defender for Business

Hi everyone,

I'm having some difficulty and was hoping you could help me with my question. Does the Defender for Business included with M365 Business Premium have any kind of vulnerability scanner? Specifically, does it report vulnerabilities in third-party applications installed on endpoints?

I know that Microsoft Defender Vulnerability Management is available as a standalone product and as an add-on for Microsoft Defender for Endpoint Plan 2 customers. From what I've researched, Defender for Business includes some features of Defender for Endpoint Plan 2. How does this compare to M365 Business Premium? It seems to me that while some features are included, it isn't the full Microsoft Defender for Endpoint Plan 2 experience.

Thanks!